
This week in security

Flaw researcher at Black Hat security conference gets into a legal dust-up with Cisco. Also: Hunting for file format bugs.

Cisco Systems on Wednesday threatened legal action to keep a researcher from further discussing a hack into its router software.

The request for a temporary restraining order, filed jointly by Cisco and Internet Security Systems, targeted former ISS researcher Michael Lynn and the organizers of the Black Hat security conference. The companies took action after Lynn showed in a presentation how attackers could take over Cisco routers--a problem that he said could bring the Internet to its knees. Specifically, Lynn outlined how to run attack code on Cisco's Internetwork Operating System by exploiting a known security flaw in IOS. The software runs on Cisco routers, which make up the infrastructure of the Internet.

Lynn told the audience that he had quit his job as a researcher at ISS to deliver the presentation, after ISS had decided to pull the session.

The dispute, however, was settled a day later, when all parties agreed to a permanent injunction barring them from further discussing the presentation Lynn gave. The injunction also requires Lynn to return any materials and disassembled code related to Cisco.

Lynn on Thursday said that despite all the legal wranglings he faced this week, demonstrating an attack on Cisco's router software was the right call.

"I think I did the right thing. It was pretty scary, but the real important thing was: There was the potential of (a) serious problem," Lynn said.

Finding vulnerabilities is big business, and new tools could help bug hunters find vulnerabilities in popular file formats, such as the JPEG and GIF image formats.

Some of those bugs can be serious: A victim's PC could be hijacked by simply viewing an image on a Web site or in an e-mail. Microsoft issued three "critical" security bulletins earlier this month, two related to file format flaws.

There could be a significant increase in the discovery of such flaws. iDefense, a security intelligence company, is making available tools that let researchers automate the discovery of file format vulnerabilities. The company released the tools Thursday in conjunction with the Black Hat security conference.
